CN102055733A - Method, device and system for negotiating business bearing tunnels - Google Patents


Info

Publication number
CN102055733A
Authority
CN
China
Prior art keywords
key exchange
internet key
exchange authentication
tunnel
subscriber equipment
Legal status
Granted
Application number
CN2009102094271A
Other languages
Chinese (zh)
Other versions
CN102055733B (en)
Inventor
武二华
高晓峰
蔡安宁
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for negotiating service bearer tunnels, comprising the following steps: receiving an Internet Key Exchange (IKE) authentication request that carries information on the non-encrypted tunnels supported by the user equipment; when the security level of the service is lower than a preset level, selecting, according to that information, a non-encrypted tunnel for bearing the service from among the non-encrypted tunnels supported by the user equipment; and sending an IKE authentication response that carries information on the selected non-encrypted tunnel for bearing the service. The invention also discloses a packet gateway device, a user equipment and a communication system. Because a non-encrypted tunnel for bearing the service can be negotiated, no encryption/decryption processing and/or integrity (consistency) check is performed when the service is subsequently carried, which reduces message transmission delay and device cost.

Description

Method, device and system for negotiating service bearer tunnels
Technical field
The present invention relates to the field of communication technology, and in particular to a method, device and system for negotiating service bearer tunnels.
Background technology
The IKE (Internet Key Exchange) protocol is the preferred key exchange protocol in IPsec (Internet Protocol Security) implementations. The newer IKEv2 (IKE version 2) protocol keeps the basic functions of conventional IKE, corrects the problems found in IKE research, and at the same time takes simplicity, efficiency, security and robustness into account. By minimizing the required core features and default cryptographic algorithms, IKEv2 greatly improves interoperability between different IPsec systems.
The IKEv2 negotiation proceeds as follows:
IKEv2 establishes a pair of IPsec_SAs (Security Associations). Normally the four messages of two exchanges are enough to finish negotiating an IKE_SA and establishing one pair of IPsec_SAs; if more than one pair of IPsec_SAs is required, each additional pair needs only one extra exchange, i.e. two more messages. IKEv2 defines three kinds of exchange: the initial exchange (Initial Exchanges), the create child SA exchange (CREATE_CHILD_SA Exchange) and the informational exchange (INFORMATIONAL Exchange).
On the other hand, NAT (Network Address Translation), including PAT (Port Address Translation), is used very widely in today's networks. When a NAT device is present in the communication link, IPsec NAT traversal requires UDP (User Datagram Protocol) transport, so during the initial exchange of the IKEv2 negotiation it is first necessary to detect whether a NAT device is present, that is, to perform NAT detection.
To detect whether a NAT device exists in the communication link, the two negotiating parties each add two Notify payloads. One Notify payload carries NAT_DETECTION_SOURCE_IP (NAT detection source IP address), identifying the initiator's IP address; the other carries NAT_DETECTION_DESTINATION_IP (NAT detection destination IP address), identifying the receiver's (destination side's) IP address. This is done in the IKE_SA_INIT phase of the IKEv2 negotiation, where the two Notify payloads NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP serve to detect whether a NAT device exists between the communicating parties and to determine which side is behind it. In IKEv2 the Notify message type numbers of NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP are 16388 and 16389 respectively. The payload uses the generic ISAKMP payload header, and the payload value is a hash (IKEv2 specifies SHA-1) computed as follows:
hash=SHA-1(SPIs|IP|Port)
where SPIs are the SPIs (Security Parameter Indexes) in the HDR (IKE header); IP is the IP address of the packet sender or receiver; and Port is the port number of the packet sender or receiver.
After the responder receives the packet, it computes the hash over the SPIs, IP address and port number of the received packet and compares the result with the Notify payload values it holds locally; a mismatch indicates that a NAT device is present in the communication link. If the computed value does not match NAT_DETECTION_SOURCE_IP, the initiator is behind a NAT device; if it does not match NAT_DETECTION_DESTINATION_IP, the responder is behind a NAT device.
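As an added illustration, not code from the patent, the NAT detection check described above simulated in Python for both sides: the initiator builds the two Notify values over the addresses it believes it is using, and the responder recomputes them from the packet as actually received. The byte layout of SPIs, address and port is assumed from RFC 7296 section 2.23; the addresses and SPI values are constructed.

```python
import hashlib
import ipaddress
import struct

# Notify message type numbers given on the page for IKEv2 NAT detection.
NAT_DETECTION_SOURCE_IP = 16388
NAT_DETECTION_DESTINATION_IP = 16389


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """hash = SHA-1(SPIs | IP | Port).

    Byte layout is an assumption taken from RFC 7296 section 2.23: the two
    8-byte SPIs in header order, the packed IP address (4 or 16 bytes) and
    the port as a 2-byte big-endian integer.
    """
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_notifies(spi_i, spi_r, src_ip, src_port, dst_ip, dst_port):
    """Initiator side: the two Notify values placed in IKE_SA_INIT, computed
    over the source and destination addresses the initiator itself sees."""
    return {
        NAT_DETECTION_SOURCE_IP: nat_detection_hash(spi_i, spi_r, src_ip, src_port),
        NAT_DETECTION_DESTINATION_IP: nat_detection_hash(spi_i, spi_r, dst_ip, dst_port),
    }


def detect_nat(notifies, spi_i, spi_r, observed_src_ip, observed_src_port,
               local_ip, local_port):
    """Responder side: recompute both hashes from the packet as received and
    compare them with the Notify values it carries. A mismatch means the
    corresponding address/port was rewritten on the path, i.e. a NAT is present."""
    expected_src = nat_detection_hash(spi_i, spi_r, observed_src_ip, observed_src_port)
    expected_dst = nat_detection_hash(spi_i, spi_r, local_ip, local_port)
    return {
        "initiator_behind_nat": notifies[NAT_DETECTION_SOURCE_IP] != expected_src,
        "responder_behind_nat": notifies[NAT_DETECTION_DESTINATION_IP] != expected_dst,
    }


# Constructed scenario using documentation address ranges, not real hosts:
# initiator 192.168.1.10:500 sits behind a NAT that rewrites it to 203.0.113.5:4500;
# responder 198.51.100.7:500 is directly reachable. SPIr is zero in the first request.
SPI_I = bytes.fromhex("0011223344556677")
SPI_R = bytes(8)


def example_behind_nat():
    notifies = build_nat_notifies(SPI_I, SPI_R, "192.168.1.10", 500, "198.51.100.7", 500)
    return detect_nat(notifies, SPI_I, SPI_R, "203.0.113.5", 4500, "198.51.100.7", 500)


def example_no_nat():
    notifies = build_nat_notifies(SPI_I, SPI_R, "203.0.113.9", 500, "198.51.100.7", 500)
    return detect_nat(notifies, SPI_I, SPI_R, "203.0.113.9", 500, "198.51.100.7", 500)


if __name__ == "__main__":
    print(example_behind_nat())
    print(example_no_nat())
```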
The prior art has at least the following deficiency:
The negotiated IPsec tunnel that bears the service is an encrypted tunnel. When the service is carried over this encrypted tunnel, the user service data flow must undergo encryption/decryption processing with various algorithms and/or integrity checks. This increases the message transmission delay, places high demands on the processing capability of the user equipment and the packet gateway device, and raises device cost.
Summary of the invention
An embodiment of the invention provides a method for negotiating a service bearer tunnel. The method comprises:
receiving an Internet Key Exchange (IKE) authentication request, which carries information on the non-encrypted tunnels supported by the user equipment;
when the security level of the service is lower than a preset level, selecting, according to the information on the non-encrypted tunnels supported by the user equipment, a non-encrypted tunnel for bearing the service from among those tunnels;
sending an IKE authentication response, which carries information on the selected non-encrypted tunnel for bearing the service.
An embodiment of the invention also provides a method for negotiating a service bearer tunnel, comprising:
sending an IKE authentication request carrying information on the non-encrypted tunnels supported by the user equipment;
receiving an IKE authentication response carrying information on the non-encrypted tunnel for bearing the service, that tunnel having been selected by the packet gateway device, when the security level of the service is lower than a preset level, from the non-encrypted tunnels supported by the user equipment according to the information carried in the request.
An embodiment of the invention also provides a packet gateway device for negotiating a service bearer tunnel, comprising:
a receiving module, configured to receive an IKE authentication request carrying information on the non-encrypted tunnels supported by the user equipment;
a selecting module, configured to select, when the security level of the service is lower than a preset level, a non-encrypted tunnel for bearing the service from the non-encrypted tunnels supported by the user equipment according to that information;
a sending module, configured to send an IKE authentication response carrying information on the selected non-encrypted tunnel for bearing the service.
An embodiment of the invention also provides a user equipment for negotiating a service bearer tunnel, comprising:
a sending module, configured to send an IKE authentication request carrying information on the non-encrypted tunnels supported by the user equipment;
a receiving module, configured to receive an IKE authentication response carrying information on the non-encrypted tunnel for bearing the service, that tunnel having been selected by the packet gateway device, when the security level of the service is lower than a preset level, from the non-encrypted tunnels supported by the user equipment according to the information carried in the request.
An embodiment of the invention also provides a communication system for negotiating a service bearer tunnel, comprising:
a packet gateway device, configured to receive an IKE authentication request carrying information on the non-encrypted tunnels supported by the user equipment; to select, when the security level of the service is lower than a preset level, a non-encrypted tunnel for bearing the service from the non-encrypted tunnels supported by the user equipment according to that information; and to send an IKE authentication response carrying information on the selected non-encrypted tunnel for bearing the service;
the user equipment, configured to send the IKE authentication request and to receive the IKE authentication response.
In the embodiment of the invention, an IKE authentication request carrying information on the non-encrypted tunnels supported by the user equipment is received; when the security level of the service is lower than a preset level, a non-encrypted tunnel for bearing the service is selected from those tunnels according to that information; and an IKE authentication response carrying information on the selected tunnel is sent, which completes the negotiation of the service bearer tunnel. Unlike the prior art, in which services of every security level use IKEv2 to negotiate an IPsec tunnel, a non-encrypted tunnel is negotiated for services whose security level is below the preset level, so that no encryption/decryption processing and/or integrity checking is performed when the service is subsequently carried. This reduces message transmission delay and device cost and improves service processing efficiency.
Correspondingly, in the embodiment of the invention the user equipment sends an IKE authentication request carrying information on the non-encrypted tunnels it supports and receives an IKE authentication response carrying information on the non-encrypted tunnel for bearing the service, which the packet gateway device selected from the supported non-encrypted tunnels, according to that information, when the security level of the service is lower than the preset level. This likewise completes the negotiation of the service bearer tunnel: unlike the prior art, in which services of every security level use IKEv2 to negotiate an IPsec tunnel, a non-encrypted tunnel is negotiated for services below the preset security level, so that no encryption/decryption processing and/or integrity checking is performed when the service is subsequently carried, which reduces message transmission delay and device cost and improves service processing efficiency.
Description of drawings
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort. In the drawings:
Fig. 1 is a flowchart of the method for negotiating a service bearer tunnel in an embodiment of the invention;
Fig. 2 is a diagram of the IKEv2 initial exchange in an embodiment of the invention;
Fig. 3 is a schematic diagram of the structure of the SA payload in an embodiment of the invention;
Fig. 4 is a schematic diagram of the structure of the Proposal payload in an embodiment of the invention;
Fig. 5 is a schematic diagram of the tunnel message format for UDP encapsulation of IP and PPP packets in an embodiment of the invention;
Fig. 6 is a flowchart of the method for negotiating a service bearer tunnel in an embodiment of the invention;
Fig. 7 is a flowchart of a specific example of the method for negotiating a service bearer tunnel in an embodiment of the invention;
Fig. 8 is a schematic diagram of the message formats on each bearer network segment during transmission of a user service flow in an embodiment of the invention;
Fig. 9 is a flowchart of another specific example of the method for negotiating a service bearer tunnel in an embodiment of the invention;
Figure 10 is another schematic diagram of the message formats on each bearer network segment during transmission of a user service flow in an embodiment of the invention;
Figure 11 is a schematic diagram of the structure of the packet gateway device in an embodiment of the invention;
Figure 12 A and Figure 12 B are schematic diagrams of the structure of a specific example of the packet gateway device in an embodiment of the invention;
Figure 13 is a schematic diagram of the structure of the user equipment in an embodiment of the invention;
Figure 14 is a schematic diagram of the structure of the communication system in an embodiment of the invention.
Embodiment
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the embodiments are described in further detail below with reference to the drawings. The illustrative embodiments and their explanation are used to explain the invention and are not intended as a limitation of it.
In practical application scenarios some services have higher security requirements, for example services transmitted for enterprise users or services carrying important enterprise data, while other services have lower security requirements, for example services whose users are individuals or services transmitting HTTP (Hyper Text Transport Protocol) news or entertainment content. When a service with lower security requirements is transmitted, there is no need to perform encryption/decryption processing and/or integrity checks, so it is not necessary to use IKEv2 to negotiate an IPsec tunnel for bearing it; when the security requirement of the service is low, a non-encrypted tunnel can be used to bear the service, which lowers the processing capability required of the user equipment and the packet gateway device and reduces message transmission delay and device cost.
On this basis, an embodiment of the invention provides a method for negotiating a service bearer tunnel. As shown in Fig. 1, the processing flow of the method may comprise:
Step 101: receiving an IKE authentication request carrying information on the non-encrypted tunnels supported by the user equipment;
Step 102: when the security level of the service is lower than a preset level, selecting a non-encrypted tunnel for bearing the service from the non-encrypted tunnels supported by the user equipment according to that information;
Step 103: sending an IKE authentication response carrying information on the selected non-encrypted tunnel for bearing the service.
It can be seen from the flow shown in Fig. 1 that, in the embodiment of the invention, an IKE authentication request carrying information on the non-encrypted tunnels supported by the user equipment is received; when the security level of the service is lower than a preset level, a non-encrypted tunnel for bearing the service is selected from those tunnels according to that information; and an IKE authentication response carrying information on the selected tunnel is sent, which completes the negotiation of the service bearer tunnel. Unlike the prior art, in which services of every security level use IKEv2 to negotiate an IPsec tunnel, a non-encrypted tunnel is negotiated for services whose security level is below the preset level, so that no encryption/decryption processing and/or integrity checking is performed when the service is subsequently carried. This lowers the processing capability required of the user equipment and the packet gateway device, reduces message transmission delay and device cost, and improves service processing efficiency.
In specific implementation, there are several ways for the IKE authentication request in the flow of Fig. 1 to carry the information on the non-encrypted tunnels supported by the user equipment; any way by which the request carries that information is sufficient. For example, indication information can be added to the IKE authentication request to indicate the non-encrypted tunnels supported by the user equipment. The indication information can take various forms; for example, it can be a custom value of an existing field in the IKE authentication request, so that setting a custom value in some existing field of the request indicates the non-encrypted tunnels supported by the user equipment.
To reduce changes to the existing protocol and to facilitate the subsequent evolution of the user equipment and packet gateway devices that negotiate service bearer tunnels, in one embodiment a custom value is set in an existing field of the IKE authentication request, and this custom value indicates the non-encrypted tunnels supported by the user equipment. Of course, several fields of the IKE authentication request can be chosen for this purpose; any field with a private-use value range (Private use) will do. The following description uses the Protocol ID field of the Proposal payload in the IKE authentication request as an example.
For ease of understanding, the three IKEv2 exchange types and the structure of the Proposal payload in the IKE authentication request are briefly described first.
IKEv2 defines three kinds of exchange: the initial exchange (Initial Exchanges), the create child SA exchange (CREATE_CHILD_SA Exchange) and the informational exchange (INFORMATIONAL Exchange).
Initial exchange: this process consists of four messages and establishes the IKE_SA and the first CHILD_SA (child SA, i.e. IPsec_SA). It is divided into two phases, IKE_SA_INIT (IKE_SA initialization) and IKE_AUTH (IKE authentication). The IKE_SA_INIT phase establishes the IKE_SA and thereby creates a secure and reliable encrypted transmission channel for subsequent IKEv2 messages; that is, subsequent IKEv2 negotiation messages are transmitted through this encrypted channel and are encrypted before transmission. The IKE_AUTH phase establishes the first CHILD_SA, i.e. creates the first IPsec security tunnel used to transmit the user service data flow.
Create child SA exchange: if several tunnels need to be established between two security gateways, a further negotiation phase is performed in which the IKE_SA is used to generate multiple CHILD_SAs. This process consists of two messages and is encrypted and integrity protected.
Informational exchange: IKEv2 defines the informational exchange, performed during key negotiation, by which one party informs the other that an error has occurred or notifies it of some event. This phase takes place after the initial exchange, under the protection of the negotiated IKE_SA. Such an exchange is used, for example, to delete an IPsec_SA or to probe whether the peer is still alive.
As shown in Fig. 2, the IKEv2 initial exchange comprises the IKE_SA initialization (IKE_SA_INIT) phase, in which the two parties complete the DH (Diffie-Hellman) exchange, the Nonce (random number) exchange and the cryptographic algorithm negotiation and establish the IKE_SA, thereby setting up a secure and reliable encrypted transmission channel for subsequent IKEv2 message exchanges; that is, subsequent IKEv2 negotiation messages are transmitted through this encrypted channel and are encrypted before transmission.
Step 201: the initiator (Initiator) sends an IKE_SA_INIT request; the message carries the SPI allocated by the initiator, the proposed cryptographic algorithms, the DH value and a Nonce;
Step 202: the responder (Responder) returns an IKE_SA_INIT reply; the message contains the SPI allocated by the responder, a DH value, a Nonce, and the cryptographic algorithms chosen from the initiator's proposal.
The IKEv2 initial exchange also comprises the IKE authentication (IKE_AUTH) phase, in which the two parties exchange IDs to confirm each other's identity and establish the first CHILD_SA. The IKE_AUTH phase comprises steps 203 and 204:
Step 203: the initiator sends an IKE_AUTH request; the message carries the encrypted initiator ID (e.g. the initiator's name or IP address), an authentication digest over the preceding IKE_SA_INIT request message, the proposed CHILD_SA, etc.;
Step 204: the responder returns an IKE_AUTH reply; the message contains the encrypted responder ID, an authentication digest over the preceding IKE_SA_INIT reply message, and the cryptographic algorithms chosen from the initiator's proposal.
The IKE_AUTH phase shown in Fig. 2, steps 203 and 204, is used by the initiator and the responder to confirm both sides' IKE_SA_INIT request and reply by means of the AUTH (authentication) payload, and to negotiate and create the first IPsec security association (IPsec_SA) used to transmit the user service data flow.
The payload used to negotiate the IPsec_SA is the SA payload. As defined in RFC4306, the SA payload contains several Proposal payloads of different priority, reflecting the user-configured IPsec security policy. Each Proposal payload contains several Transform substructures (Transforms), which specify the encryption and/or authentication algorithms of the user-configured IPsec security policy. Each Transform may carry zero or more parameters, depending on the encryption or authentication algorithm. Fig. 3 and Fig. 4 show the structures of the SA payload and the Proposal payload as defined in RFC4306.
The main fields of the SA payload in Fig. 3 are: Next Payload, the critical bit (C: Critical), RESERVED, Payload Length, and the Proposal payload;
The main fields of the Proposal payload in Fig. 4, and their values, are defined as follows:
Protocol ID: indicates the IPsec protocol ID; the values and their meanings are shown in Table 1:
Table 1: Protocol ID values and meanings
SPI Size: the length of the SPI in bytes; if 0, there is no SPI field;
SPI: the initiator's SPI;
# of Transforms: the number of Transform substructures.
To support negotiating a non-encrypted tunnel through IKEv2, so that the IKE authentication request can indicate the non-encrypted tunnels supported by the user equipment, this example customizes the private-use value range of the Protocol ID field in the Proposal payload: the correspondence between Protocol ID values in the Proposal payload and non-encrypted tunnels is predefined, so that setting the Protocol ID value in the Proposal payload of a subsequently sent IKE authentication request indicates the non-encrypted tunnels supported by the user equipment. Table 2 illustrates one example of such customization of the private-use value range of the Protocol ID field:
Table 2: private-use value definitions of the Protocol ID field
In the table two, Protocol ID value is 201 and 202 UDP-IP (Internet Protocol, Internet protocol) and UDP-PPP (The Point-to-Point Protocol, point-to-point protocol) is used for existing under the NAT device situation between subscriber equipment and the packet gateway equipment, the UDP packing bearing of representing IP and PPP bag respectively, corresponding channel message form as shown in Figure 5.
The source of UDP among Fig. 5, destination slogan are selected consistent with IKEv2, are used to support that NAT passes through.SPI consults to obtain by IKEv2, and is identical with the SPI mode of consulting ipsec tunnel.
Protocol ID value is that 203,204,205 protocol definition is followed associated tunnel consensus standard (respectively referring to RFC2003, RFC1701, RFC2004), is used for the carrying of the tunnel under the no NAT device situation between subscriber equipment and the packet gateway equipment.
In the table two predefine the value of protocol identification field and the corresponding relation in non-encrypted tunnel in the security suggestion load, when wherein Protocol ID value is 201-205 corresponding to the protocol type in different non-encrypted tunnels, can determine corresponding tunnel protocol type by Protocol ID value, thereby determine to support the non-encrypted tunnel of this protocol type; Certainly, the corresponding relation in the table two is an instantiation, and the corresponding relation of the value of protocol identification field in non-encrypted tunnel and the security suggestion load (Protocol ID value) can change, but the two corresponding relation of predefine when specifically implementing.Except that the protocol type in several non-encrypted tunnels shown in the table two, the embodiment of the invention also may be implemented in the non-encrypted tunnel of other type, and execution mode all with similar shown in the table two, repeats no more here.
With the value of the Protocol ID field in the security proposal payload set as described above, the IKE authentication request carries the information on the non-encrypted tunnels that the user equipment supports. When the service security level is lower than the preset level, that is, when the service has a low security requirement, the packet gateway must first determine which non-encrypted tunnels the user equipment supports before it selects the non-encrypted tunnel to bear the service. For example, it can read the indication information carried in the IKE authentication request, which indicates the non-encrypted tunnels supported by the user equipment, and determine those tunnels from that indication; or it can determine them from the Protocol ID field of the security proposal payload in the IKE authentication request.
In a concrete implementation, the value of the Protocol ID field in the security proposal payload of the IKE authentication request is read first; then, from the value read and the predefined correspondence between Protocol ID values and non-encrypted tunnels, the non-encrypted tunnels supported by the user equipment are determined. The predefined correspondence can be stored on any device that provides storage: the user equipment, the packet gateway, or another device in the network. During implementation the correspondence is retrieved from that storage device and the supported tunnels are determined from the Protocol ID values in the received IKE authentication request. Because an IKE authentication request can carry at least one security proposal payload, it contains at least one Protocol ID field, and at least one supported non-encrypted tunnel can be determined from those values; one of them is subsequently selected to bear the service. A rule can be set for the selection, for example choosing by the magnitude of the field value, or the choice can be made at random. For example, when the IKE authentication request contains Protocol ID fields with the values 201, 202 and 203, the user equipment is determined to support three non-encrypted tunnels: a non-encrypted tunnel in UDP-IP bearer tunnel mode, one in UDP-PP bearer tunnel mode and one in IPinIP bearer tunnel mode; one of the three, for example the UDP-IP bearer tunnel, is then selected as the non-encrypted tunnel bearing the service.
In a concrete implementation, the way the IKE authentication response carries the information on the non-encrypted tunnel bearing the service in the procedure of Figure 1 is similar to the way the IKE authentication request carries the information on the non-encrypted tunnels supported by the user equipment, and it too can be implemented in several ways; any implementation by which the IKE authentication response carries that information will do. For example, indication information can be added to the IKE authentication response to indicate the non-encrypted tunnel bearing the service. This indication information can take various forms; for example, it can be a custom value of an existing field in the IKE authentication response, so that setting a custom value in an existing field of the response indicates the non-encrypted tunnel bearing the service.
To reduce changes to the existing protocol and to ease the subsequent evolution of the user equipment and packet gateway that negotiate the service bearer tunnel, in one embodiment a custom value is set in an existing field of the IKE authentication response to indicate the non-encrypted tunnel bearing the service. Several fields of the IKE authentication response can be chosen to carry the custom value; any field with a private-use range will do. For example, the value of the Protocol ID field in the security proposal payload of the IKE authentication response can be set to indicate the non-encrypted tunnel bearing the service. During implementation the private-use range of the Protocol ID field is customized and the correspondence between Protocol ID values and non-encrypted tunnels is predefined, so that the IKE authentication response subsequently sent indicates the non-encrypted tunnel bearing the service through the value of that field. The concrete implementation is similar to the customization of the private-use range of the Protocol ID field by which the IKE authentication request indicates the non-encrypted tunnels supported by the user equipment, and is not repeated here. As before, the predefined correspondence between Protocol ID values and non-encrypted tunnels can be stored on the user equipment, the packet gateway, or any other device in the network that provides storage; during implementation the correspondence is retrieved from that storage device for the subsequent processing.
It follows that, in the IKEv2 IKE_AUTH exchange, the protocol type of the non-encrypted tunnel is specified through the Protocol ID field of the security proposal payload and a SPI value is allocated, but no encryption/decryption algorithm and/or integrity check algorithm is specified; a non-encrypted tunnel is thus negotiated, so that a service with a lower security requirement can subsequently be transmitted without encryption.
In the procedure of Figure 1, determining the service security level can also be included before the non-encrypted tunnel bearing the service is selected from the non-encrypted tunnels supported by the user equipment. In a concrete implementation there are several ways to determine that the service security level is low. For example, information indicating how high the service security requirement is can be added to the IKE authentication request, the service security level is determined from that information, and it is then compared with the preset level. In fact, some existing parameters of the IKE authentication request already indicate the service security requirement. For example, in the scenario of 3GPP access with a NAT device on the communication link, where a UDP-IP bearer tunnel is negotiated, the IKE authentication request contains a W-APN (WLAN Access Point Name), from which the service security level can be determined; similarly, in the scenario of 3GPP2 access with no NAT device on the link, where a GRE bearer tunnel is negotiated, the IKE authentication request contains a domain name (Domain), from which the service security level can also be determined.
The concept of the W-APN is introduced first, taking the WLAN-3GPP system as an example; the Domain in 3GPP2 is essentially the same concept as the W-APN.
The W-APN is a network identifier defined by the WLAN-3GPP system. On the one hand, a W-APN identifies a PDG of the WLAN-3GPP core network; on the other hand, it also identifies the external PDN connected through that PDG (such as an ISP network or an enterprise network) or a certain type of associated service (such as Internet access or a WAP service). A W-APN name consists of the following two parts:
The APN network identifier, which defines the external network or service that the mobile subscriber accesses through this PDG; this part is mandatory.
The APN operator identifier, which defines the WLAN-3GPP core network to which the PDG belongs; this part is optional.
For a PDG, what must first be known is which external PDNs or services the mobile subscriber is allowed to access through it; once that is determined, access points for those external PDNs or services should be planned and the corresponding W-APN information configured on the PDG.
In the embodiment of the invention, the way the procedure of Figure 1 confirms whether the subscriber's service security level is high or low can be: according to the external networks or services that the PDG can access, the corresponding W-APNs are configured in advance on the PDG or on its AAA server, and a service security level is configured for each W-APN, for example level 1, 2, 3, 4 or 5, a larger number meaning a higher security level. If the preset level is specified as level 3, a service whose security level is lower than 3 is a low-security service, and a non-encrypted tunnel can be established for it.
Thus, in the scenario of 3GPP access with a NAT device on the communication link, where a UDP-IP bearer tunnel is negotiated, the UE includes the requested W-APN in the IKE authentication request it sends; the PDG authenticates and authorizes the user according to the requested W-APN, obtains the service security level configured for that W-APN locally on the PDG or on its AAA server, and determines whether to establish a non-encrypted tunnel. Similarly, in the scenario of 3GPP2 access with no NAT device on the link, where a GRE bearer tunnel is negotiated, the UE includes the requested domain name (Domain) in the IKE authentication request it sends; the packet gateway authenticates and authorizes the user according to the requested Domain, obtains the service security level configured for that Domain locally or on its AAA server, and determines whether to establish a non-encrypted tunnel.
That is, in a concrete implementation, determining the service security level described above can comprise:
when accessing a 3GPP or LTE (Long Term Evolution) network, determining the service security level from the WLAN access point name in the IKE authentication request and the preset correspondence between WLAN access point names and service security levels;
or, when accessing a 3GPP2 network, determining the service security level from the domain name in the IKE authentication request and the preset correspondence between domain names and service security levels.
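The negotiation described above, as an added Python example that is not part of the patent: the user equipment's Proposal substructures (RFC 7296 section 3.3.1) carrying private-range Protocol ID values from the Table 2 mapping, the packet gateway's lookup of the service security level from the W-APN against the preset level, and the response proposal that names a non-encrypted tunnel with a 4-byte SPI and zero transforms. The text states only 201 = UDP-IP and 204 = GRE; the mapping of 202 and 203 follows its example, and the W-APN names, security levels, SPI values, UDP-IP selection rule and the single-transform ESP proposal are constructed assumptions. Note that the W-APN lookup is the only control that decides whether user traffic will leave in plaintext, so the example fails closed on an unprovisioned W-APN instead of defaulting to a low level.

```python
import struct

# Protocol ID values 201-255 are the private-use range of the IKEv2 Security
# Protocol Identifier registry (RFC 7296, section 3.3.1); the text's Table 2
# assigns some of them to non-encrypted tunnel types.  Only 201 = UDP-IP and
# 204 = GRE are stated explicitly in the text; 202 and 203 follow the order of
# its own example, and 205 is left unmapped because the text does not name it.
NON_ENCRYPTED = {201: "UDP-IP", 202: "UDP-PP", 203: "IPinIP", 204: "GRE"}
PROTO_ESP = 3                       # standard ESP, i.e. a normal IPsec tunnel
PRESET_LEVEL = 3                    # the text's example preset level

# Assumed service security levels provisioned per W-APN on the PDG or its AAA.
WAPN_LEVEL = {"internet.example": 1, "wap.example": 2, "corp.example": 5}

# Proposal substructure header: Last Substruc, Reserved, Proposal Length,
# Proposal Num, Protocol ID, SPI Size, Num Transforms (RFC 7296, section 3.3.1).
PROPOSAL_HDR = struct.Struct("!BBHBBBB")


def encode_proposal(num, protocol_id, spi, transforms=b"", n_transforms=0, last=True):
    """Encode one proposal; `transforms` is the already-encoded transform list."""
    length = PROPOSAL_HDR.size + len(spi) + len(transforms)
    return (PROPOSAL_HDR.pack(0 if last else 2, 0, length, num, protocol_id,
                              len(spi), n_transforms) + spi + transforms)


def encode_transform(ttype, tid, last=True):
    """Minimal transform substructure without attributes (RFC 7296, section 3.3.2)."""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8, ttype, 0, tid)


def parse_proposals(sa_body):
    """Parse the proposal list of an SA payload body; ValueError on malformed input."""
    proposals, off = [], 0
    while True:
        if off + PROPOSAL_HDR.size > len(sa_body):
            raise ValueError("truncated proposal header")
        last, _, length, num, proto, spi_size, n_tr = PROPOSAL_HDR.unpack_from(sa_body, off)
        if length < PROPOSAL_HDR.size + spi_size or off + length > len(sa_body):
            raise ValueError("bad proposal length")
        spi_off = off + PROPOSAL_HDR.size
        proposals.append({"num": num, "protocol_id": proto,
                          "spi": sa_body[spi_off:spi_off + spi_size],
                          "n_transforms": n_tr,
                          "transforms": sa_body[spi_off + spi_size:off + length]})
        off += length
        if last == 0:
            break
        if last != 2:
            raise ValueError("bad Last Substruc value")
    if off != len(sa_body):
        raise ValueError("trailing bytes after last proposal")
    return proposals


def supported_non_encrypted_tunnels(proposals):
    """Map the private Protocol IDs in a request back to tunnel types (Table 2 lookup)."""
    return [NON_ENCRYPTED[p["protocol_id"]] for p in proposals if p["protocol_id"] in NON_ENCRYPTED]


def negotiate(sa_body, w_apn, gateway_spi):
    """Gateway side of IKE_AUTH: pick the bearer tunnel and build the response proposal.

    Returns (tunnel_name, response_proposal_bytes).  An unprovisioned W-APN raises
    KeyError on purpose: the level lookup decides whether user traffic goes out in
    plaintext, so it must fail closed rather than fall back to a low level."""
    level = WAPN_LEVEL[w_apn]
    proposals = parse_proposals(sa_body)
    if level < PRESET_LEVEL:
        # Low-security service: choose a non-encrypted tunnel.  The text allows any
        # rule (or a random choice); this example takes the lowest Protocol ID value.
        cands = [p for p in proposals if p["protocol_id"] in NON_ENCRYPTED]
        chosen = min(cands, key=lambda p: p["protocol_id"], default=None)
    else:
        # Service needs confidentiality/integrity: only an ESP proposal is acceptable.
        cands = [p for p in proposals if p["protocol_id"] == PROTO_ESP]
        chosen = cands[0] if cands else None
    if chosen is None:
        return None, b""                    # nothing acceptable (NO_PROPOSAL_CHOSEN)
    if chosen["protocol_id"] in NON_ENCRYPTED:
        # As in the text: Protocol ID = tunnel type, SPI Size = 4, #of Transforms = 0,
        # SPI = value allocated by the gateway; no algorithms are negotiated at all.
        return (NON_ENCRYPTED[chosen["protocol_id"]],
                encode_proposal(chosen["num"], chosen["protocol_id"], gateway_spi))
    # ESP: a real responder narrows to one transform per type; echoed here unchanged.
    return "IPsec ESP", encode_proposal(chosen["num"], PROTO_ESP, gateway_spi,
                                        chosen["transforms"], chosen["n_transforms"])


def sample_request():
    """Constructed IKE_AUTH request SA body: one ESP proposal plus three non-encrypted ones."""
    ue_spi = bytes.fromhex("11223344")                      # assumed UE-chosen SPI
    integ = encode_transform(3, 2)                          # INTEG: AUTH_HMAC_SHA1_96 only
    return (encode_proposal(1, PROTO_ESP, ue_spi, integ, 1, last=False)
            + encode_proposal(2, 201, ue_spi, last=False)
            + encode_proposal(3, 202, ue_spi, last=False)
            + encode_proposal(4, 203, ue_spi))


if __name__ == "__main__":
    name, resp = negotiate(sample_request(), "internet.example", bytes.fromhex("a1b2c3d4"))
    print(name, resp.hex())
```

Running the module negotiates the UDP-IP tunnel for the level-1 W-APN and prints the 12-byte response proposal (Protocol ID 201, SPI Size 4, no transforms); the same request with a level-5 W-APN yields the ESP proposal instead, and a request that offers only non-encrypted tunnels for a high-level service is refused.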
In another embodiment of the procedure of Figure 1, the IKE authentication request can also carry information on the encrypted tunnels supported by the user equipment. If the service security level is then higher than the preset level, the encrypted tunnel bearing the service is selected from the encrypted tunnels supported by the user equipment according to that information, and the IKE authentication response that is sent carries the information on the encrypted tunnel bearing the service. In this way a normal IPsec tunnel can be established for a service with a higher security requirement, satisfying that requirement. Depending on the service security requirement, the implementation can negotiate either an IPsec tunnel, that is, a service bearer tunnel with encryption/decryption and/or integrity check, or a non-encrypted tunnel; the operator can deploy the network flexibly, reduce the cost of packet gateways and user equipment, and attract subscribers. Non-encrypted tunnels and normal IPsec tunnels can coexist: a non-encrypted tunnel and an IPsec tunnel can be established simultaneously for the same user or for different users according to the security requirements of the different services.
The procedure of Figure 1 and its concrete implementation can be carried out by any device able to perform these functions, for example by different network devices such as a PDG, a PDIF, or a packet network gateway device such as the ePDG in LTE.
The embodiment of the invention also provides a method for negotiating a service bearer tunnel whose processing flow, as shown in Figure 6, can comprise:
Step 601: sending an IKE authentication request, the IKE authentication request carrying information on the non-encrypted tunnels supported by the user equipment;
Step 602: receiving an IKE authentication response, the IKE authentication response carrying information on the non-encrypted tunnel bearing the service, the non-encrypted tunnel bearing the service being selected by the packet gateway, when the service security level is lower than the preset level, from the non-encrypted tunnels supported by the user equipment according to the information on the non-encrypted tunnels supported by the user equipment.
As can be seen from the procedure of Figure 6, in the embodiment of the invention an IKE authentication request carrying information on the non-encrypted tunnels supported by the user equipment is sent, and an IKE authentication response carrying information on the non-encrypted tunnel bearing the service is received, that tunnel having been selected by the packet gateway, when the service security level is lower than the preset level, from the non-encrypted tunnels supported by the user equipment according to the information carried in the request; the negotiation of the service bearer tunnel is thereby completed. Unlike the prior art, in which services of every security level use IKEv2 to negotiate an IPsec tunnel, a non-encrypted tunnel is negotiated to bear a service whose security level is lower than the preset level, so that no encryption/decryption and/or integrity check is performed when the service is subsequently carried. This reduces the processing capacity required of the user equipment and the packet gateway, reduces message transmission delay and device cost, and improves service processing efficiency.
When the procedure of Figure 6 is implemented, sending the IKE authentication request carrying information on the non-encrypted tunnels supported by the user equipment can comprise:
carrying indication information in the IKE authentication request that is sent, the indication information indicating the non-encrypted tunnels supported by the user equipment;
and/or the IKE authentication response carrying information on the non-encrypted tunnel bearing the service can comprise:
the IKE authentication response carrying indication information, the indication information indicating the non-encrypted tunnel bearing the service.
In one embodiment, the indication information carried in the IKE authentication request can be a custom value of an existing field in the IKE authentication request; that is, carrying indication information in the IKE authentication request to indicate the non-encrypted tunnels supported by the user equipment can comprise setting a custom value of an existing field in the IKE authentication request that is sent, to indicate the non-encrypted tunnels supported by the user equipment. For example, according to the predefined correspondence between Protocol ID values in the security proposal payload and non-encrypted tunnels, the value of the Protocol ID field in the security proposal payload of the IKE authentication request that is sent can be set to indicate the non-encrypted tunnels supported by the user equipment.
The indication information carried in the IKE authentication response can be a custom value of an existing field in the IKE authentication response; that is, the IKE authentication response carrying indication information indicating the non-encrypted tunnel bearing the service can comprise a custom value of an existing field in the IKE authentication response, indicating that the non-encrypted tunnel bearing the service is to be determined from this value and the predefined correspondence between values of that field and non-encrypted tunnels. For example, it can comprise the value of the Protocol ID field in the security proposal payload of the IKE authentication response, indicating that the non-encrypted tunnel bearing the service is to be determined from this value and the predefined correspondence between Protocol ID values and non-encrypted tunnels.
Likewise, the predefined correspondence between Protocol ID values in the security proposal payload and non-encrypted tunnels can be stored on the user equipment, the packet gateway, or any other device in the network that provides storage; during implementation the correspondence is retrieved from that storage device for the subsequent processing.
In another embodiment, the IKE authentication request can also carry information on the encrypted tunnels supported by the user equipment; the IKE authentication response that is received can then also carry information on the encrypted tunnel bearing the service, the encrypted tunnel bearing the service being selected by the packet gateway, when the service security level is higher than the preset level, from the encrypted tunnels supported by the user equipment according to that information.
The concrete implementation of the procedure of Figure 6 is similar to that of the procedure of Figure 1 and is not repeated here. The procedure of Figure 6 and its concrete implementation can be carried out by any device able to perform these functions, for example by different user equipment: the UE in the scenario of 3GPP access with a NAT device on the communication link, where a UDP-IP bearer tunnel is negotiated, or the MS (Mobile Station) in the scenario of 3GPP2 access with no NAT device on the link, where a GRE bearer tunnel is negotiated.
For ease of understanding, the prior-art scenario of 3GPP access with a NAT device on the communication link, where a UDP-IP bearer tunnel is negotiated, and the prior-art scenario of 3GPP2 access with no NAT device on the link, where a GRE bearer tunnel is negotiated, are briefly described first.
The 3GPP (3rd Generation Partnership Project) working group proposed the concept of 3GPP-WLAN (Wireless Local Area Network) Interworking, which allows WLAN users to access the 3GPP network and use 3GPP services and functions. The standard defines that the WLAN UE (User Equipment) uses IKEv2 as the signalling for accessing the PDG (Packet Data Gateway).
In the WLAN session establishment procedure, the UE and the PDG first negotiate the IKE_SA, establishing a secure channel for the subsequent signalling; the two then carry out the EAP-AKA (EAP: Extensible Authentication Protocol; AKA: Authentication and Key Agreement) authentication procedure, that is, the service access authentication between the UE and the 3GPP AAA (Authentication, Authorization and Accounting) server and the HSS (Home Subscriber Server)/HLR (Home Location Register), with EAP-AKA as the authentication method. Afterwards the UE and the PDG confirm the IKE_SA_INIT messages to each other and at the same time negotiate the first IPsec SA. If the user has several service flows and needs to establish a new IPsec security service channel, one additional exchange is added.
The 3GPP2 working group also treats WLAN as a very important access means, allowing a WLAN UE to access the 3GPP2 core network through the PDIF (Packet Data Interworking Function). 3GPP2 supports several access scenarios; for example, when a WLAN UE accesses CDMA2000 (Code Division Multiple Access 2000), the access processing is similar to that in 3GPP: the IKE SA is negotiated first, the service access authentication between the MS and the CDMA2000 H-AAA is then completed, and the MS and the PDIF confirm the IKE_SA_INIT messages to each other and negotiate the IPsec SA. The established IPsec security tunnel is then used to transmit the user data service flow.
The method for negotiating a service bearer tunnel in the embodiment of the invention is described below with a concrete example. The scenario of this example is 3GPP access with a NAT device on the communication link, where a UDP-IP bearer tunnel is negotiated.
As shown in Figure 7, the concrete implementation procedure of this example can comprise:
Step 701: the user equipment (UE) sends an IKE_SA_INIT request to the packet data gateway (PDG);
Step 702: the PDG returns an IKE_SA_INIT response to the UE. Through steps 701 and 702, the NAT_DETECTION_SOURCE_IP (NAT_Di) and NAT_DETECTION_DESTINATION_IP (NAT_Dr) notifications of the IKE_SA_INIT phase detect whether there is a NAT device between the UE and the PDG and in which direction, and a secure encrypted channel is created for the subsequent IKEv2 messages. This secure encrypted channel is created for the negotiation of the service bearer tunnel and is distinct from the non-encrypted tunnel or encrypted tunnel that is subsequently negotiated to bear the service;
Step 703: the UE sends an IKE authentication request (IKE_AUTH Request) to the PDG, the message carrying the (encrypted) UE ID and W-APN, the supported non-encrypted tunnels and encrypted tunnels, the supported cryptographic algorithms and so on; it requests user authentication and authorization, and requests negotiation and creation of the bearer tunnel for transmitting the user service data flow;
When NAT is present, the PDG authenticates and authorizes the user according to the requested W-APN, obtains the service security level for that W-APN kept locally on the PDG or on its AAA server, and finds that the service security level is lower than the preset level; it then obtains the information on the non-encrypted tunnels supported by the user equipment from the IKE authentication request and, according to that information, selects the non-encrypted tunnel bearing the service from those tunnels. In the IKE_AUTH response of step 706 it returns the non-encrypted tunnel that the PDG has selected to establish for bearing the service, for example a UDP-IP tunnel. The main field values of the security proposal payload in the SA payload of the IKE_AUTH response of step 706 can be: Protocol ID=201, SPI Size=4, #of Transforms=0, SPI=0xXXXXXXXX. Protocol ID=201 indicates that the selected non-encrypted tunnel bearing the service is in UDP-IP bearer tunnel mode. A non-encrypted tunnel in UDP-IP bearer tunnel mode has thus been negotiated and established between the UE and the PDG.
After the non-encrypted tunnel has been negotiated, the service is carried over it; the message format on each bearer segment during user service flow transmission can be as shown in Figure 8.
In Figure 8, the processing of an uplink packet by the PDG can comprise: the user service packet sent by the UE is encapsulated in the format IP+UDP+SPI+IP(Service), the outer IP source address being the UE's local address, which can be a private address, and the destination address being the address of the PDG's Wu logical interface. When the gateway receives the tunnelled packet it looks up the user context by the SPI in the packet, decapsulates the uplink packet and forwards the inner IP(Service) packet to the PDN on the network side. Downlink packets are processed in the reverse way.
The above processing negotiates a non-encrypted tunnel bearing the service when the service security level is lower than the preset level; if in the implementation the service security level is higher than the preset level, an encrypted tunnel bearing the service can be negotiated instead:
When NAT is present, the PDG authenticates and authorizes the user according to the requested W-APN, obtains the service security level for that W-APN kept locally on the PDG or on its AAA server, and finds that the service security level is higher than the preset level; it then selects the encrypted tunnel bearing the service from the encrypted tunnels supported by the user equipment and sends an IKE authentication response indicating that encrypted tunnel, so that an encrypted tunnel is negotiated and established between the UE and the PDG;
In a concrete implementation, after step 703 the EAP-AKA authentication procedure is first carried out between the UE and the PDG, and the service access authentication is carried out between the UE and the 3GPP AAA server and HSS/HLR; steps 704 to 706 are then implemented as follows:
Step 704: the packet data gateway notifies the user equipment of the successful authentication through an IKE_AUTH response (IKE_AUTH Response);
Step 705: the user equipment confirms the IKE_SA_INIT request message of step 701 through an IKE authentication request (IKE_AUTH Request), showing that the messages of step 701 and step 705 were sent by the same legitimate user equipment;
Step 706: an IKE_AUTH response (IKE_AUTH Response) completes the mutual confirmation of the IKE_SA_INIT messages between the UE and the PDG, and at the same time the negotiation of the first IPsec SA is completed;
If the user has several service flows and needs to establish a new IPsec security service channel, one additional exchange is added through the CREATE_CHILD_SA request of step 707 and the CREATE_CHILD_SA response of step 708.
The method for negotiating a service bearer tunnel in the embodiment of the invention is now described with a second concrete example. The scenario of this example is 3GPP2 access with no NAT device on the communication link, where a GRE bearer tunnel is negotiated.
As shown in Figure 9, the concrete implementation procedure of this example can comprise:
Step 901: in the IKE_SA_INIT phase, detect whether there is a NAT device between the MS and the PDIF, and in which direction.
Step 902: the MS sends an IKE authentication request (IKE_AUTH, CFG_REQUEST) to the PDIF, the message carrying the (encrypted) MS ID, the supported non-encrypted tunnels and encrypted tunnels, the supported cryptographic algorithms and so on;
When no NAT is present, the PDIF uses the Domain (domain name) in the IDi payload of the IKE authentication request of step 902: after authentication and authorization it obtains the service security level of the request corresponding to that Domain. If the service security level is lower than the preset level, it obtains the information on the non-encrypted tunnels supported by the user equipment from the IKE authentication request and, according to that information, selects one of those tunnels, for example a GRE tunnel. In the IKE_AUTH response of step 906 it returns the non-encrypted tunnel that the PDIF has selected to establish for bearing the service, for example a GRE tunnel. The main field values of the security proposal payload in the SA payload of the IKE_AUTH response of step 906 are: Protocol ID=204, SPI Size=4, #of Transforms=0, SPI=0xYYYYYYYY. Protocol ID=204 indicates that the selected non-encrypted tunnel bearing the service is in GRE bearer tunnel mode. A non-encrypted bearer tunnel in GRE bearer tunnel mode has thus been negotiated and established between the MS and the PDIF.
After the non-encrypted tunnel has been negotiated, the service is carried and transmitted over it; the message format on each bearer segment during user service flow transmission can be as shown in Figure 10.
In Figure 10, the processing of an uplink packet by the PDIF can comprise: when the MS sends it, the user service packet is encapsulated in the format IP+GRE+IP(Service), the outer IP source address being the MS's local address, which can be a private address, and the destination address being the IP address of the PDIF logical interface 5. When the gateway receives the tunnelled packet, the PDIF looks up the user context by the GRE Key in the packet, which is the SPI assigned in the IKE_AUTH phase, decapsulates the uplink packet and forwards the user service packet to the network side through a VPN (Virtual Private Network) tunnel. Downlink packets are processed in the reverse way.
The above processing negotiates a non-encrypted tunnel bearing the service when the service security level is lower than the preset level; if in the implementation the service security level is higher than the preset level, an encrypted tunnel bearing the service can be negotiated instead:
When no NAT is present, the PDIF uses the Domain in the IDi payload of the IKE authentication request of step 902: after authentication and authorization it obtains the service security level of the request corresponding to that Domain. If the service security level is higher than the preset level, it selects the encrypted tunnel bearing the service from the encrypted tunnels supported by the user equipment and sends an IKE authentication response indicating that encrypted tunnel, so that an encrypted tunnel is negotiated and established between the MS and the PDIF;
The concrete implementation can comprise: first performing step 903, the service access authentication between the MS and the CDMA2000 H-AAA; then performing steps 904 to 906:
Step 904: the PDIF notifies the MS of the successful authentication through an IKE_AUTH response (IKE_AUTH, CFG_REPLY);
Step 905: the MS confirms the IKE_SA_INIT request of the IKE_SA_INIT phase of step 901 through an IKE authentication request (IKE_AUTH, CFG_REQUEST), showing that the messages of step 901 and step 905 were sent by the same legitimate MS;
Step 906: an IKE_AUTH response (IKE_AUTH, CFG_REPLY) completes the mutual confirmation of the IKE_SA_INIT messages between the MS and the PDIF and the negotiation of the IPsec SA;
If the user has several service flows and needs to establish a new IPsec security service channel, one additional exchange is added through the CREATE_CHILD_SA request of step 907 and the CREATE_CHILD_SA response of step 908.
One of ordinary skill in the art will appreciate that all or part of the steps of the method in the foregoing embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, can comprise all or part of the steps of the method in the foregoing embodiments. The storage medium can comprise ROM, RAM, a magnetic disk, an optical disc, and so on.
The embodiments of the invention also provide a packet gateway device, user equipment and a communication system, described in the following embodiments. Because the principle by which these devices and systems solve the problem is similar to that of the method for negotiating a service bearer tunnel, their implementation can refer to the implementation of the method, and repeated parts are not described again.
As shown in Figure 11, the packet gateway device in the embodiment of the invention can comprise:
A receiving module 1101, used to receive an internet key exchange authentication request, the internet key exchange authentication request carrying information on the non-encrypted tunnels supported by the user equipment;
A selection module 1102, used to select, when the service security level is lower than the preset level, the non-encrypted tunnel carrying the service from the non-encrypted tunnels supported by the user equipment, according to the information on the non-encrypted tunnels supported by the user equipment;
A sending module 1103, used to send an internet key exchange authentication response, the internet key exchange authentication response carrying information on the non-encrypted tunnel carrying the service.
As shown in Figure 12A, in an embodiment the packet gateway device of Figure 11 can further comprise:
A first determination module 1201, which can be used to:
when accessing a 3GPP or LTE network, determine the service security level according to the wireless LAN access point name (W-APN) in the internet key exchange authentication request and a preset correspondence between W-APNs and service security levels; or,
when accessing a 3GPP2 network, determine the service security level according to the domain name in the internet key exchange authentication request and a preset correspondence between domain names and service security levels.
As shown in Figure 12B, in an embodiment the packet gateway device of Figure 11 can further comprise:
A second determination module 1202, used to read the indication information carried in the internet key exchange authentication request, the indication information indicating the non-encrypted tunnels supported by the user equipment, and to determine, according to the indication information, the non-encrypted tunnels supported by the user equipment;
and/or the sending module 1103 can specifically be used to:
carry, in the sent internet key exchange authentication response, indication information indicating the non-encrypted tunnel carrying the service.
In an embodiment, the indication information carried in the internet key exchange authentication request can be a custom value of an existing field in the internet key exchange authentication request; that is, the second determination module 1202 can specifically be used to:
read the custom value of the existing field in the internet key exchange authentication request, the custom value indicating the non-encrypted tunnels supported by the user equipment, and determine the non-encrypted tunnels supported by the user equipment according to that custom value.
The indication information carried in the internet key exchange authentication response can be a custom value of an existing field in the internet key exchange authentication response; that is, the sending module 1103 can specifically be used to set, in the sent internet key exchange authentication response, the custom value of the existing field to indicate the non-encrypted tunnel carrying the service.
In an embodiment, the internet key exchange authentication request also carries information on the encryption tunnels supported by the user equipment; the selection module 1102 is further used to select, when the service security level is higher than the preset level, the encryption tunnel carrying the service from the encryption tunnels supported by the user equipment, according to the information on the encryption tunnels supported by the user equipment; and the internet key exchange authentication response also carries information on the encryption tunnel carrying the service.
As shown in Figure 13, the user equipment in the embodiment of the invention can comprise:
A sending module 1301, used to send an internet key exchange authentication request, the internet key exchange authentication request carrying information on the non-encrypted tunnels supported by the user equipment;
A receiving module 1302, used to receive an internet key exchange authentication response, the internet key exchange authentication response carrying information on the non-encrypted tunnel carrying the service, where the non-encrypted tunnel carrying the service is selected by the packet gateway device, when the service security level is lower than the preset level, from the non-encrypted tunnels supported by the user equipment according to the information on the non-encrypted tunnels supported by the user equipment.
In an embodiment, the sending module 1301 can specifically be used to:
carry, in the sent internet key exchange authentication request, indication information indicating the non-encrypted tunnels supported by the user equipment;
and/or the internet key exchange authentication response carrying information on the non-encrypted tunnel carrying the service can comprise: the internet key exchange authentication response carrying indication information that indicates the non-encrypted tunnel carrying the service.
In an embodiment, the indication information carried in the internet key exchange authentication request can be a custom value of an existing field in the internet key exchange authentication request; that is, the sending module 1301 can specifically be used to set, in the sent internet key exchange authentication request, the custom value of the existing field to indicate the non-encrypted tunnels supported by the user equipment.
The indication information carried in the internet key exchange authentication response can be a custom value of an existing field in the internet key exchange authentication response; that is, the internet key exchange authentication response carrying indication information that indicates the non-encrypted tunnel carrying the service can comprise: a custom value of an existing field in the internet key exchange authentication response, where the non-encrypted tunnel carrying the service is determined from this value and a predefined correspondence between values of the existing field and non-encrypted tunnels.
In an embodiment, the internet key exchange authentication request also carries information on the encryption tunnels supported by the user equipment, and the internet key exchange authentication response also carries information on the encryption tunnel carrying the service, where the encryption tunnel carrying the service is selected by the packet gateway device, when the service security level is higher than the preset level, from the encryption tunnels supported by the user equipment according to the information on the encryption tunnels supported by the user equipment.
As shown in Figure 14, the communication system in the embodiment of the invention can comprise:
A packet gateway device 1401, used to receive an internet key exchange authentication request, the internet key exchange authentication request carrying information on the non-encrypted tunnels supported by user equipment 1402; to select, when the service security level is lower than the preset level, the non-encrypted tunnel carrying the service from the non-encrypted tunnels supported by user equipment 1402, according to the information on the non-encrypted tunnels supported by user equipment 1402; and to send an internet key exchange authentication response, the internet key exchange authentication response carrying information on the non-encrypted tunnel carrying the service;
User equipment 1402, used to send the internet key exchange authentication request and to receive the internet key exchange authentication response.
In an embodiment, the packet gateway device 1401 can further be used to:
when accessing a third generation partnership project (3GPP) or Long Term Evolution (LTE) network, determine the service security level according to the wireless LAN access point name (W-APN) in the internet key exchange authentication request and a preset correspondence between W-APNs and service security levels; or,
when accessing a 3GPP2 network, determine the service security level according to the domain name in the internet key exchange authentication request and a preset correspondence between domain names and service security levels.
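The exchange between user equipment and packet gateway described above, as an added example that is not the patent's or Huawei's code: the gateway picks the preset table by access network, compares the derived level with the preset level, and answers with a tunnel chosen only from what the UE offered, while the UE accepts only a tunnel it actually offered. Field names, table contents, tunnel names, preference orders and the fail-closed handling of unknown W-APNs/Domains are assumptions.

```python
# Added example, not code from the patent: a model of the IKE_AUTH
# negotiation of a service bearer tunnel with both sides of the exchange.
# Mapping tables, tunnel names and preference orders are assumed values.
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class SecurityLevel(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Constructed preset correspondence tables (assumed values).
WAPN_SECURITY_LEVEL = {              # 3GPP / LTE access, keyed by W-APN
    "video.operator.example": SecurityLevel.LOW,
    "corp.operator.example": SecurityLevel.HIGH,
}
DOMAIN_SECURITY_LEVEL = {            # 3GPP2 access, keyed by Domain of IDi
    "stream.operator.example": SecurityLevel.LOW,
    "bank.operator.example": SecurityLevel.HIGH,
}
PRESET_LEVEL = SecurityLevel.MEDIUM

# Assumed gateway-side preference orders, applied to what the UE offered.
GATEWAY_PLAIN_PREFERENCE = ["GRE", "IP-in-IP"]
GATEWAY_IPSEC_PREFERENCE = ["ESP-AES-GCM", "ESP-AES-CBC-SHA1"]


@dataclass
class IkeAuthRequest:
    access: str                      # "3GPP", "LTE" or "3GPP2"
    wapn: Optional[str]              # W-APN (3GPP/LTE access)
    domain: Optional[str]            # Domain in IDi (3GPP2 access)
    plain_tunnels: List[str]         # non-encrypted tunnels the UE supports
    ipsec_tunnels: List[str]         # encrypted tunnels the UE supports


@dataclass
class IkeAuthResponse:
    encrypted: bool
    tunnel: str


def determine_security_level(req: IkeAuthRequest) -> SecurityLevel:
    """First determination module: W-APN table for 3GPP/LTE, Domain table
    for 3GPP2. A W-APN/Domain missing from its table, or an unknown access
    type, is treated as HIGH so the gateway fails closed (assumed policy)."""
    if req.access in ("3GPP", "LTE"):
        return WAPN_SECURITY_LEVEL.get(req.wapn, SecurityLevel.HIGH)
    if req.access == "3GPP2":
        return DOMAIN_SECURITY_LEVEL.get(req.domain, SecurityLevel.HIGH)
    return SecurityLevel.HIGH


def gateway_select_tunnel(req: IkeAuthRequest) -> Optional[IkeAuthResponse]:
    """Selection module: below the preset level pick a non-encrypted tunnel,
    otherwise an encrypted one (a level equal to the preset level is 'not
    lower', so it gets an encrypted tunnel). Returns None when the UE offered
    nothing acceptable, so no bearer is set up silently."""
    level = determine_security_level(req)
    if level < PRESET_LEVEL:
        preference, offered, encrypted = GATEWAY_PLAIN_PREFERENCE, req.plain_tunnels, False
    else:
        preference, offered, encrypted = GATEWAY_IPSEC_PREFERENCE, req.ipsec_tunnels, True
    for tunnel in preference:
        if tunnel in offered:
            return IkeAuthResponse(encrypted=encrypted, tunnel=tunnel)
    return None


def ue_accept_response(req: IkeAuthRequest, resp: IkeAuthResponse) -> bool:
    """UE receiving module: accept only a tunnel that was in its own offer."""
    offered = req.ipsec_tunnels if resp.encrypted else req.plain_tunnels
    return resp.tunnel in offered


def negotiate(req: IkeAuthRequest) -> Optional[IkeAuthResponse]:
    """Full exchange: UE request -> gateway response -> UE acceptance."""
    resp = gateway_select_tunnel(req)
    if resp is None or not ue_accept_response(req, resp):
        return None
    return resp


if __name__ == "__main__":
    low = IkeAuthRequest("3GPP2", None, "stream.operator.example",
                         ["IP-in-IP", "GRE"], ["ESP-AES-GCM"])
    print(negotiate(low))   # a non-encrypted GRE tunnel is agreed
```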
In the embodiment of the invention, the packet gateway device receives an internet key exchange authentication request carrying information on the non-encrypted tunnels supported by the user equipment; when the service security level is lower than the preset level, it selects the non-encrypted tunnel carrying the service from the non-encrypted tunnels supported by the user equipment according to that information; and it sends an internet key exchange authentication response carrying information on the non-encrypted tunnel carrying the service, thereby completing the negotiation of the service bearer tunnel. Unlike the prior art, in which services of all security levels use IKEv2 to negotiate an IPsec tunnel, a non-encrypted tunnel is negotiated to carry services whose security level is lower than the preset level, so that subsequent service bearing performs no encryption/decryption and/or consistency check. This lowers the processing capability required of the user equipment and the packet gateway device, reduces message transmission delay and device cost, and improves service processing efficiency.
In the embodiment of the invention, the user equipment sends an internet key exchange authentication request carrying information on the non-encrypted tunnels it supports, and receives an internet key exchange authentication response carrying information on the non-encrypted tunnel carrying the service, that tunnel having been selected by the packet gateway device, when the service security level is lower than the preset level, from the non-encrypted tunnels supported by the user equipment according to that information, thereby completing the negotiation of the service bearer tunnel. Unlike the prior art, in which services of all security levels use IKEv2 to negotiate an IPsec tunnel, a non-encrypted tunnel is negotiated to carry services whose security level is lower than the preset level, so that subsequent service bearing performs no encryption/decryption and/or consistency check. This lowers the processing capability required of the user equipment and the packet gateway device, reduces message transmission delay and device cost, and improves service processing efficiency.
The embodiment of the invention has little impact on existing protocols and helps the subsequent evolution of packet gateway devices and user equipment. In concrete implementation, when user equipment accesses through a PDG, a PDIF or the ePDG gateway of LTE, the service security requirement can be determined from the W-APN/Domain, and according to that requirement either an IPsec tunnel is negotiated, i.e. a tunnel supporting encryption/decryption and/or consistency check, or a non-encrypted tunnel is negotiated. For user services with lower security requirements a non-encrypted tunnel can be established, with no encryption/decryption and/or consistency check, which lowers the processing capability required of the user equipment and the packet gateway device and reduces transmission delay and device cost; for user services with higher security requirements a normal IPsec tunnel can be established, meeting the high security requirement. In this way the operator can deploy the network flexibly, reduce the cost of packet gateway devices and user equipment, and attract customers.
The embodiment of the invention also supports NAT traversal, and can negotiate and create different non-encrypted bearer tunnels according to whether NAT is present in the communication link.
The specific embodiments described above further describe the purpose, technical solution and beneficial effects of the present invention. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit its scope; any modification, equivalent replacement, improvement and so on made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (20)

1. A method for negotiating a service bearer tunnel, characterized in that the method comprises:
receiving an internet key exchange authentication request, the internet key exchange authentication request carrying information on the non-encrypted tunnels supported by user equipment;
when the service security level is lower than a preset level, selecting the non-encrypted tunnel carrying the service from the non-encrypted tunnels supported by the user equipment, according to the information on the non-encrypted tunnels supported by the user equipment;
sending an internet key exchange authentication response, the internet key exchange authentication response carrying information on the non-encrypted tunnel carrying the service.
2. The method of claim 1, characterized in that, before selecting the non-encrypted tunnel carrying the service from the non-encrypted tunnels supported by the user equipment, the method further comprises:
when accessing a third generation partnership project (3GPP) or Long Term Evolution (LTE) network, determining the service security level according to the wireless LAN access point name (W-APN) in the internet key exchange authentication request and a preset correspondence between W-APNs and service security levels; or,
when accessing a 3GPP2 network, determining the service security level according to the domain name in the internet key exchange authentication request and a preset correspondence between domain names and service security levels.
3. The method of claim 1, characterized in that, before selecting the non-encrypted tunnel carrying the service from the non-encrypted tunnels supported by the user equipment, the method further comprises:
reading the indication information carried in the internet key exchange authentication request, the indication information indicating the non-encrypted tunnels supported by the user equipment, and determining the non-encrypted tunnels supported by the user equipment according to the indication information;
and/or, the sending of the internet key exchange authentication response carrying information on the non-encrypted tunnel carrying the service comprises:
carrying, in the sent internet key exchange authentication response, indication information that indicates the non-encrypted tunnel carrying the service.
4. The method of claim 3, characterized in that the indication information carried in the internet key exchange authentication request is a custom value of an existing field in the internet key exchange authentication request;
and the indication information carried in the internet key exchange authentication response is a custom value of an existing field in the internet key exchange authentication response.
5. The method of claim 1, characterized in that the internet key exchange authentication request also carries information on the encryption tunnels supported by the user equipment;
and the method further comprises:
when the service security level is higher than the preset level, selecting the encryption tunnel carrying the service from the encryption tunnels supported by the user equipment, according to the information on the encryption tunnels supported by the user equipment;
the internet key exchange authentication response also carrying information on the encryption tunnel carrying the service.
6. A method for negotiating a service bearer tunnel, characterized in that the method comprises:
sending an internet key exchange authentication request, the internet key exchange authentication request carrying information on the non-encrypted tunnels supported by user equipment;
receiving an internet key exchange authentication response, the internet key exchange authentication response carrying information on the non-encrypted tunnel carrying the service, where the non-encrypted tunnel carrying the service is selected by a packet gateway device, when the service security level is lower than a preset level, from the non-encrypted tunnels supported by the user equipment according to the information on the non-encrypted tunnels supported by the user equipment.
7. The method of claim 6, characterized in that sending the internet key exchange authentication request carrying information on the non-encrypted tunnels supported by the user equipment comprises:
carrying, in the sent internet key exchange authentication request, indication information that indicates the non-encrypted tunnels supported by the user equipment;
and/or the internet key exchange authentication response carrying information on the non-encrypted tunnel carrying the service comprises:
the internet key exchange authentication response carrying indication information that indicates the non-encrypted tunnel carrying the service.
8. The method of claim 7, characterized in that the indication information carried in the internet key exchange authentication request is a custom value of an existing field in the internet key exchange authentication request;
and the indication information carried in the internet key exchange authentication response is a custom value of an existing field in the internet key exchange authentication response.
9. The method of claim 6, characterized in that the internet key exchange authentication request also carries information on the encryption tunnels supported by the user equipment;
and the internet key exchange authentication response also carries information on the encryption tunnel carrying the service, where the encryption tunnel carrying the service is selected by the packet gateway device, when the service security level is higher than the preset level, from the encryption tunnels supported by the user equipment according to the information on the encryption tunnels supported by the user equipment.
10. A packet gateway device, characterized in that the device comprises:
a receiving module, used to receive an internet key exchange authentication request, the internet key exchange authentication request carrying information on the non-encrypted tunnels supported by user equipment;
a selection module, used to select, when the service security level is lower than a preset level, the non-encrypted tunnel carrying the service from the non-encrypted tunnels supported by the user equipment, according to the information on the non-encrypted tunnels supported by the user equipment;
a sending module, used to send an internet key exchange authentication response, the internet key exchange authentication response carrying information on the non-encrypted tunnel carrying the service.
11. The packet gateway device of claim 10, characterized in that it further comprises:
a first determination module, used to:
when accessing a 3GPP or LTE network, determine the service security level according to the wireless LAN access point name (W-APN) in the internet key exchange authentication request and a preset correspondence between W-APNs and service security levels; or,
when accessing a 3GPP2 network, determine the service security level according to the domain name in the internet key exchange authentication request and a preset correspondence between domain names and service security levels.
12. The packet gateway device of claim 10, characterized in that it further comprises:
a second determination module, used to read the indication information carried in the internet key exchange authentication request, the indication information indicating the non-encrypted tunnels supported by the user equipment, and to determine, according to the indication information, the non-encrypted tunnels supported by the user equipment;
and/or the sending module is specifically used to:
carry, in the sent internet key exchange authentication response, indication information that indicates the non-encrypted tunnel carrying the service.
13. The packet gateway device of claim 12, characterized in that the indication information carried in the internet key exchange authentication request is a custom value of an existing field in the internet key exchange authentication request;
and the indication information carried in the internet key exchange authentication response is a custom value of an existing field in the internet key exchange authentication response.
14. The packet gateway device of claim 10, characterized in that the internet key exchange authentication request also carries information on the encryption tunnels supported by the user equipment;
the selection module is further used to select, when the service security level is higher than the preset level, the encryption tunnel carrying the service from the encryption tunnels supported by the user equipment, according to the information on the encryption tunnels supported by the user equipment;
and the internet key exchange authentication response also carries information on the encryption tunnel carrying the service.
15. User equipment, characterized in that it comprises:
a sending module, used to send an internet key exchange authentication request, the internet key exchange authentication request carrying information on the non-encrypted tunnels supported by the user equipment;
a receiving module, used to receive an internet key exchange authentication response, the internet key exchange authentication response carrying information on the non-encrypted tunnel carrying the service, where the non-encrypted tunnel carrying the service is selected by a packet gateway device, when the service security level is lower than a preset level, from the non-encrypted tunnels supported by the user equipment according to the information on the non-encrypted tunnels supported by the user equipment.
16. The user equipment of claim 15, characterized in that the sending module is specifically used to:
carry, in the sent internet key exchange authentication request, indication information that indicates the non-encrypted tunnels supported by the user equipment;
and/or the internet key exchange authentication response carrying information on the non-encrypted tunnel carrying the service comprises:
the internet key exchange authentication response carrying indication information that indicates the non-encrypted tunnel carrying the service.
17. The user equipment of claim 16, characterized in that the indication information carried in the internet key exchange authentication request is a custom value of an existing field in the internet key exchange authentication request;
and the indication information carried in the internet key exchange authentication response is a custom value of an existing field in the internet key exchange authentication response.
18. The user equipment of claim 15, characterized in that the internet key exchange authentication request also carries information on the encryption tunnels supported by the user equipment;
and the internet key exchange authentication response also carries information on the encryption tunnel carrying the service, where the encryption tunnel carrying the service is selected by the packet gateway device, when the service security level is higher than the preset level, from the encryption tunnels supported by the user equipment according to the information on the encryption tunnels supported by the user equipment.
19. A communication system, characterized in that it comprises:
a packet gateway device, used to receive an internet key exchange authentication request, the internet key exchange authentication request carrying information on the non-encrypted tunnels supported by user equipment; to select, when the service security level is lower than a preset level, the non-encrypted tunnel carrying the service from the non-encrypted tunnels supported by the user equipment, according to the information on the non-encrypted tunnels supported by the user equipment; and to send an internet key exchange authentication response, the internet key exchange authentication response carrying information on the non-encrypted tunnel carrying the service;
the user equipment, used to send the internet key exchange authentication request and to receive the internet key exchange authentication response.
20. The communication system of claim 19, characterized in that the packet gateway device is further used to:
when accessing a third generation partnership project (3GPP) or Long Term Evolution (LTE) network, determine the service security level according to the wireless LAN access point name (W-APN) in the internet key exchange authentication request and a preset correspondence between W-APNs and service security levels; or,
when accessing a 3GPP2 network, determine the service security level according to the domain name in the internet key exchange authentication request and a preset correspondence between domain names and service security levels.
CN 200910209427 2009-10-30 2009-10-30 Method, device and system for negotiating business bearing tunnels Active CN102055733B (en)

Publications (2)

Publication Number Publication Date
CN102055733A true CN102055733A (en) 2011-05-11
CN102055733B CN102055733B (en) 2013-08-07

Family

ID=43959663

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200910209427 Active CN102055733B (en) 2009-10-30 2009-10-30 Method, device and system for negotiating business bearing tunnels

Country Status (1)

Country Link
CN (1) CN102055733B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1643947A (en) * 2002-03-20 2005-07-20 Ut斯达康有限公司 Method to provide dynamic internet protocol security policy service
CN1812406A (en) * 2004-12-21 2006-08-02 株式会社理光 Communication apparatus, communication method, communication program and recording medium
CN1863048A (en) * 2005-05-11 2006-11-15 中兴通讯股份有限公司 Method of internet key exchange consultation between user and cut-in apparatus
CN101079804A (en) * 2006-05-25 2007-11-28 华为技术有限公司 Method for establishing tunnel in interconnection between WiMAX and 3GPP
CN101351019A (en) * 2007-07-20 2009-01-21 华为技术有限公司 Access gateway, terminal as well as method and system for establishing data connection
WO2009068603A2 (en) * 2007-11-30 2009-06-04 Thales Method for securing a bi-directional communication channel and device for implementing said method
US20090310622A1 (en) * 2008-06-12 2009-12-17 Alcatel Lucent Minimal GAN RTP packet length via multi-level header compression

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102752317A (en) * 2012-07-27 2012-10-24 汉柏科技有限公司 Method and system for encryption and decryption of IPSEC (Internet Protocol Security) message
CN105703999A (en) * 2016-03-29 2016-06-22 华为技术有限公司 Method and equipment for establishing GRE channel
CN105703999B (en) * 2016-03-29 2019-06-11 华为技术有限公司 The method and apparatus for establishing gre tunneling
CN106254376A (en) * 2016-09-05 2016-12-21 杭州华三通信技术有限公司 A kind of authentication and negotiation method and device
CN106254376B (en) * 2016-09-05 2019-10-11 新华三技术有限公司 A kind of authentication and negotiation method and device
CN108574589A (en) * 2017-03-10 2018-09-25 华为技术有限公司 A kind of maintaining method, the apparatus and system in internet protocol security tunnel
CN107302428A (en) * 2017-05-26 2017-10-27 北京国电通网络技术有限公司 The machinery of consultation of the cryptographic algorithm of data transport services in a kind of power distribution network
CN107204994B (en) * 2017-07-24 2019-09-17 杭州迪普科技股份有限公司 A kind of method and apparatus that protection network segment is determined based on IKEv2
CN107204994A (en) * 2017-07-24 2017-09-26 杭州迪普科技股份有限公司 A kind of method and apparatus that the protection network segment is determined based on IKEv2
CN107682284A (en) * 2017-08-02 2018-02-09 华为技术有限公司 Send the method and the network equipment of message
CN107682284B (en) * 2017-08-02 2021-06-01 华为技术有限公司 Method and network equipment for sending message
US11277391B2 (en) 2017-08-02 2022-03-15 Huawei Technologies Co., Ltd. Packet sending method and apparatus
CN111903105A (en) * 2018-03-27 2020-11-06 微软技术许可有限责任公司 Multiplex secure tunnel
CN109246138A (en) * 2018-10-23 2019-01-18 深信服科技股份有限公司 Resource access method and device, VPN terminal and medium based on Virtual Private Network
WO2022002098A1 (en) * 2020-06-30 2022-01-06 中兴通讯股份有限公司 Information sending method, information receiving method and network
CN113572766A (en) * 2021-07-23 2021-10-29 南方电网数字电网研究院有限公司 Power data transmission method and system
CN115242560A (en) * 2022-09-23 2022-10-25 浙江大华技术股份有限公司 Multichannel data transmission method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant